Borough Nexus

Privacy Policy

Last updated: January 2026

1. Introduction

Borough Nexus (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect personal data when you use our websites and services.

We act as the data controller for personal data processed through our services.

2. Data We Collect

2.1 Information You Provide

  • Account data: Email, name, password – for authentication and communication
  • Profile data: Professional details, preferences – for service personalisation
  • Payment data: Card details (via Stripe) – for billing and subscriptions
  • Content data: Time entries, notes, files – for service functionality
  • Communications: Support requests, feedback – for customer service

2.2 Information Collected Automatically

  • Usage data: Pages visited, features used – for service improvement
  • Device data: Browser type, operating system – for technical support
  • Log data: IP address, access times – for security and debugging

3. How We Use Your Data

3.1 Legal Basis

Under GDPR, we process your data based on:

  • Contract performance: Account data, content data, payment data
  • Legitimate interest: Usage analytics, security logs
  • Consent: Marketing communications
  • Legal obligation: Financial records, regulatory requirements

3.2 Purposes

We use your data to:

  • Provide and maintain our Services
  • Process payments and manage subscriptions
  • Communicate about your account and our Services
  • Improve and develop new features
  • Detect and prevent fraud or abuse
  • Comply with legal obligations

3.3 Marketing

We may send marketing communications if you have opted in. You can unsubscribe at any time via the link in each email or through your account settings.

4. Data Sharing

4.1 Third-Party Processors

We share data with service providers who help us operate:

  • Stripe: Payment processing (US/EU)
  • Cloudflare: CDN, security (Global)
  • OpenAI: Transcription for certain services (US)

4.2 When We Share Data

We may share personal data:

  • With your consent
  • To comply with legal obligations
  • To protect our rights or property
  • In connection with a business transfer (merger, acquisition)

We do not sell personal data.

5. Data Retention

  • Account data: Until account deletion
  • Content data: Until account deletion
  • Payment records: 7 years (legal requirement)
  • Usage logs: 30 days
  • Error logs: 90 days

6. Data Location

6.1 Primary Storage

Our primary databases are hosted in the United Kingdom on self-hosted infrastructure.

6.2 International Transfers

Some data may be processed outside the UK. We ensure appropriate safeguards are in place for all international transfers, including standard contractual clauses.

7. Data Security

We implement appropriate technical and organisational measures:

  • Transit: TLS 1.3 encryption
  • Storage: Encrypted volumes
  • Backups: AES-256 encryption
  • Access: Role-based access control
  • Authentication: Secure password hashing

8. Your Rights

Under GDPR, you have the right to:

  • Access: Obtain a copy of your data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data
  • Portability: Export your data
  • Objection: Object to certain processing
  • Restriction: Limit how we process your data
  • Withdraw consent: Remove consent for marketing

We respond to requests within 30 days.

9. Data Breach Response

In the event of a data breach:

  • Identify and contain – Immediate
  • Assess risk to individuals – Within 24 hours
  • Notify ICO if high risk – Within 72 hours
  • Notify affected users if high risk – Without undue delay
  • Document and remediate – Ongoing

10. Children's Privacy

Our Services are not directed at individuals under 18. We do not knowingly collect data from children. If we become aware of such collection, we will delete the data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through our Services. The “Effective Date” at the top indicates the latest version.

12. Contact Us

For privacy-related questions or to exercise your rights:

Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Phone: 0303 123 1113